Endpoint Protection

We are having some issues with slow access on our DFS servers. I can see that there are delays and timeouts for file accesses that are affecting users. Reverting to 12.x solves this problem.

I noticed an article describing this problem and it says to disable certain threat detections, I have done this and it does not seem to make any difference.

Has anyone else run across this issue? 14.x MP1.

I should mention that endpoint protection 14.x is only installed on the servers. The clients use a different AV solution, and uninstalling the client (or disabling the client firewall) does not have any affect, the only thing so far that worked around it was reverting the DFS servers SEP version to 12.x.

I believe there was an issue like this, but, it was fixed in 14 MP1. So it's odd and you may want to contact support to let them know.

Any improvement if you Disable the Network Scanning option?

I posted right at the end of the day, now I have some more time to look into this.

Under SONAR->Network settings: I've disabled "Scan files on remote computers".

Under Auto-protect->scan details: I've unchecked "Scan files on remote computers."

This policy change will take a bit to take effect.

As per another article, I've also disabled the "enable denial of service detection" under the firewall policy.

Another note, how do I tell what revision these changes are? And then check the client to see if it updated to the correct policy revision?

It hasn't made any difference. I am going to have to revert back to 12.x soon, it's getting very invasive. I've opened a ticket, if I don't hear from them tomorrow I'll revert.

Did you got some feedback on the case ?

I am just thinking, since you mentioned DFS servers, could it be because you have too many SEP components installed ?

I am saying this, because Symantec did mention that on servers there should be only Auto-Protect enabled and why i am mentioning this is because i also encountered problems in the past 5 years i am managing SEP and i've had problems which were fixed by only letting SEP with 1 component, Auto-Protect.

I know is difficult to test on DFS servers, but when you have OS patching you can use that window to test, who knows, maybe it helps.

We are using Server Full protection, as we were on the 12.x client.

I've been in contact with support and the major change between 12.x and 14.x was Generic Exploit Mitigation. Even though this has been turned off in policy for testing, it does not seem to have an impact. While the little trip-ups happen less frequently they still happen.

I am (right now as I type) pushing out a Basic Server client to the DFS servers, then only time will tell.

I'll try to remember to update this thread if I confirm that to be the issue.

Moving to Server Basic Protection did help, but the problem did not go completely away.

What is more puzzling is that this problem did not occur with 12.x.

I eventually found that there was also a slight misconfiguration in our DFS setup that was causing intermittent problems: some member servers were netbios and others were tcp. I've forced tcp on all DFS member servers and the problem appears to be gone.

So, in short:

On a DFS server:

- Instal the client with AntiVirus and Spyware only.

- Do not scan anything that smells like a remote location (server/drive) - local only.

- Make sure your DFS configuration is correct.

And the problem no longer exists.

Thanks.

In a nutshell yes.

The trip-up was that when setting up DFS you can mix netbios and fqdn and it will not warn you. There's also a Microsoft KB article that has instructions for forcing tcp on DFS so it doesn't do a round-robin type of lookup that can cause delays.

So: force the DFS in tcp/fqdn mode as per KB244380 (unless you use clients older than Win7), and always use fqdn addresses when linking DFS servers together.